Pulseway makes brave decision on 2FA

Pulseway has announced an improvement to its two-factor authentication solution for its RMM software suite. Enterprise Times spoke to Marius Mihalec, Founder and CEO of Pulseway, about the changes. That Pulseway has improved its two-factor authentication is not the surprising part. It is the company’s approach to the change that is different. The previous version was mainly driven by email, according to Mihalec. However, if passwords are compromised it seems likely that emails could be too. Additionally, the email solution risked delays in delivery, frustrating clients.

Marius Mihalec, Founder and CEO, Pulseway

The rise in cyber security incidents, from phishing emails to ransomware, has continued to heighten the publicity and the danger of breaches. New legislation means that MSPs are more likely to share responsibility for breaches in the future. Responsible for companies’ infrastructure security, they need to make sure that their own is as tight as possible. The failure in many security postures is often the weakest link. Pulseway intends that it will not be them.

What is Pulseway 2FA?

The new Pulseway 2FA solution can leverage either its own mobile apps or third-party solutions. The Pulseway 2FA is integrated with its Android and iOS mobile apps.

Mihalec explained the new feature saying: “If you are using Pulseway, you are using the Pulseway Mobile app. What we are going to do is that you will use the mobile app on your device to authenticate. First you enrol the trusted mobile devices that you run Pulseway mobile app on. As you try to log in to the web app or any other application we will send a push notification on your mobile device. If you don’t get the push you can open the application and then you will see the 2FA prompt including the location of where the request originated with a nice map. You get the option to approve or decline.”

For now the solution will just support RMM. Enterprise Times asked Mihalec whether support would be rolled out to its PSA solution. This is a white-labelled Vorex solution, also owned by Kaseya. Mihalec has recently finished discussing that with the development team. He replied: “Just RMM for now, we are working on PSA. The same method we use for RMM will be available for PSA.”

Key to this feature is that notifications will only be sent to the enrolled device, or devices. Thus a user could have their iPad and mobile registered for ease of use. However, before the second device is enabled it must be authorised. Pulseway appears to have thought of that and closed most of the loopholes that some systems suffer from. In fact, Pulseway will require authentication from any device using the Pulseway app, even those predating the 2FA solution, thereby eliminating another risk.

How easy is it to set up though?

Mihalec responded: “Each user will have to set up their own device. It takes anywhere between 10 and 30 seconds to enable if you set up one-time password as well as the trusted mobile device. We provide a backup code which we insist users write down somewhere safe, otherwise it is just click, select the device you want to trust, save and 2FA is enabled.”

This seems very straightforward and customers will be delighted to learn that the new enhancement is implemented at no additional charge. Importantly, this is not an optional upgrade. This is the point where Pulseway seems to be making a brave decision.

Security is our responsibility

Mihalec explained how the company will roll out the new solution: “In the next two weeks our strategy is that every time a user logs in they will be strongly encouraged every time to enable 2FA. After that the administrator will be able to enforce 2FA for the entire user base.

“There is a switch which we have coded but not released, it will be done in about two weeks’ time. Therefore once the administrator says no accounts without 2FA, those accounts without 2FA will not be able to use the system until they set it up. In about three-four weeks we will mandate that everyone has 2FA enabled. We are aiming for 95% to use it in the first 2-3 weeks and then we will enforce it.”

Vendors enforcing security is relatively rare but Mihalec believes it is the right approach. Mihalec added: “It is up to us, all the RMM providers to educate and help customers to be secure. We have a responsibility to keep their accounts secure.”

As he then pointed out: “It is a small price to pay compared to having your accounts hacked.”

This is not, however, something that will just be switched on. The Pulseway approach has been considered carefully. Mihalec added: “The reason we are not enforcing day one is to let people familiarise themselves and not interrupt their business operation.”

Whether Pulseway will receive any complaints is hard to say. Mihalec expects a few. What is clear is that other companies should take heed and follow this approach to help secure internet-facing systems. Interestingly, Mihalec has not added any whitelists to allow users to log in with the two-step verification.

What does this mean: Enterprise Times

Implementing its own 2FA solution is a welcome step by Pulseway. Users have been asking for it since at least 2011. Mihalec commented: “IT monitoring and management tools are getting more complex and more powerful every day, which puts an extra urge for additional security. That’s why adding the improved and convenient two-factor authentication was a necessity for our customers and users. Regardless of the nature of the second layer, it serves as a vital safeguard to your account.”

Pulseway continues to enhance its solution. It recently added user chat and a new File Transfer to the Remote Desktop. Since Enterprise Times spoke to Mihalec in 2018 the company has also seen growth. It now has nearly 5,100 paying customers.

The decision to enforce 2FA on its user base should be welcomed. Some companies and some business leaders might object but Pulseway is taking a step that software vendors should. With new legislation the vendor often shares responsibility for the data it controls. Enforcing 2FA is a step to ensure that data remains secure.

Steve Brooks has worked in IT for nearly 30 years, working through different roles to CIO in a number of vertical markets including Finance, Manufacturing and Real Estate. A qualified Project Manager, he spent 17 years at Savills plc, a FTSE 250 real estate company, rising to CIO before leaving in 2012.
Steve is Director of Consultancy at Synonym Ltd and while studying at Henley Business School for his MBA was deputy editor at www.business-cloud.com, a Dods Group publication. He joined CIC as an associate consultant in 2013.
He is a member of BCS and an associate member of the Institute of Directors.